More stories

  • Get patching: SonicWall warns of vulnerabilities in SMA 100 series remote access devices

    SonicWall is warning customers to apply firmware updates to its SMA 100 Series appliances, which provide remote access from mobile devices, in order to patch vulnerabilities of critical and medium severity. SonicWall says in an advisory that it “strongly urges” customers to apply the new fixes, which address eight flaws that the US Cybersecurity and Infrastructure Security Agency (CISA) warns would allow a remote attacker to take control of an affected system. CISA recommends customers apply the necessary firmware updates “as soon as possible”, in part because these appliances have historically been popular targets for attackers.

    The eight bugs range from critical to medium severity and affect a sensitive piece of the network, since the appliances provide employees with remote access to internal resources. The bugs were discovered by researchers at Rapid7 and NCC Group; the most dangerous of them has a severity score of 9.8 out of a possible 10. SonicWall’s Secure Mobile Access (SMA) 100 Series appliances for small and medium businesses enable secure remote access from mobile devices anywhere via its NetExtender and Mobile Connect VPN clients. Affected SMA 100 series appliances include the SMA 200, 210, 400, 410 and 500v products. SonicWall notes that SMA 100 series appliances with the web application firewall (WAF) enabled are also affected by the majority of the vulnerabilities.

    “There are no temporary mitigations. SonicWall urges impacted customers to implement applicable patches as soon as possible,” SonicWall notes. It adds that there was no evidence of these vulnerabilities being exploited in the wild. However, now that the bugs have been publicly disclosed, attackers may soon develop exploits for them, especially since bugs in SMA 100 appliances have been exploited quickly in the past. Rapid7 says it “will release the technical details and proof-of-concept code in January 2022 as part of our coordinated vulnerability disclosure process.” CISA emphasizes that it warned in July that attackers were actively targeting a previously patched vulnerability in SonicWall SMA 100 series appliances. In May, FireEye’s incident response group Mandiant reported that threat actors linked to the notorious DarkSide ransomware-as-a-service operation were exploiting that flaw (CVE-2021-20016) in SMA 100 series appliances. SonicWall had released firmware to address the issue in late April, which highlights the speed with which attackers exploit newly disclosed flaws in key equipment. DarkSide was responsible for the Colonial Pipeline ransomware attack that shut down the company’s US East Coast fuel distribution network for nearly a week in May.

  • Google Pixel bug preventing users from making 911 calls caused by Microsoft Teams

    A Google Pixel user last week found a bug that prevented them from calling 911 on their device. Initially reported on the GooglePixel subreddit by /u/KitchenPictures5849, the user said in a thread that the bug arose whenever a call was made to 911, which would cause their Pixel device to freeze. After investigating the matter, Google said the glitch appears to be caused by the Microsoft Teams app being installed on Pixel devices. A Google spokesperson said the bug only occurred on Pixel devices running Android 10 or above when Microsoft Teams was installed but no account was logged into the app. “We believe the issue is only present on a small number of devices with the Microsoft Teams app installed when the user is not logged in, and we are currently only aware of one user report related to the occurrence of this bug. We determined that the issue was being caused by unintended interaction between the Microsoft Teams app and the underlying Android operating system,” the Google spokesperson wrote in the thread. The spokesperson said both Google and Microsoft have prioritised resolving the issue and that a Microsoft Teams app update would be rolled out soon. In the meantime, Google has advised users with Microsoft Teams installed on any Pixel device running Android 10 or above, where no account is logged into the app, to uninstall and reinstall the app. This only addresses the bug in the interim, however; a Microsoft Teams app update will still be required to fully resolve the issue. “We advise users to keep an eye out for an update to the Microsoft Teams app, and ensure it is applied as soon as available,” the Google spokesperson said.

  • Queensland government energy generator says ransomware attack not state-based

    Queensland government-owned energy generator CS Energy provided an update on Wednesday saying that those behind its November ransomware incident were unlikely to be a state-based actor. On the same morning, Sydney’s Daily Telegraph landed with a front page claiming China was behind the incident. Given the appearance of CS Energy on a leak site listing victims of the Conti ransomware, which is run by the Wizard Spider group for the purposes of double extortion, the claims made by News Limited would appear to be unfounded. In September, the US Cybersecurity and Infrastructure Security Agency said the group uses a ransomware-as-a-service model, but instead of paying affiliates a cut of the earnings that come from ransoms, the group pays the deployers of the ransomware a wage. Rob Joyce, director of cybersecurity at the NSA, said at the time that the group has historically targeted critical infrastructure. For its part, CS Energy said it has continued to generate electricity and feed it into the grid since the incident and has “systems and safeguards [with] layers of separation and protection, which enabled it to contain and protect its critical infrastructure”. “Upon becoming aware of the incident, we quickly took further assertive action to physically separate the two environments,” CEO Andrew Bills said.

    “We continue to progressively restore our systems and are working closely with cyber security experts and relevant state and federal agencies.” A few days after the incident, the generator, which is one of three generator companies in Queensland, reassured retail customers it would be able to bill them per the usual cycle. Earlier this year, the generator company experienced a fire in its turbine hall at Callide power station that led to outages across the state.

  • With 18,378 vulnerabilities reported in 2021, NIST records fifth straight year of record numbers

    The National Institute of Standards and Technology (NIST) released a graph showing the number of vulnerabilities reported in 2021, finding 18,378 this year. The figure set a record for the fifth straight year, but 2021 was different in some ways. The number of high severity vulnerabilities fell slightly compared to 2020, with 3,646 high risk vulnerabilities this year compared to last year’s 4,381. For 2021, the number of medium and low risk vulnerabilities reported — 11,767 and 2,965 respectively — exceeded those seen in 2020.

    Opinions on the graph were mixed, with some confused about why there were fewer high-severity vulnerabilities and others saying the report jibed with what they saw throughout the year. Bugcrowd CTO Casey Ellis said that, at the most basic level, technology itself is accelerating and vulnerabilities are inherent to software development: the more software that is produced, the more vulnerabilities will exist. When it comes to the breakdown of high, medium and low-severity vulnerabilities, Ellis said lower impact issues are easier to find and are generally reported more often, with the opposite being true of high impact issues. “High impact issues tend to be more complicated, remediated more quickly once found, and — in the case of systemic high-impact vulnerability classes — are often prioritized for root-cause analysis and anti-pattern avoidance in the future, and thus can often be fewer in number,” Ellis said.

    Pravin Madhani, CEO of K2 Cyber Security, said the lower number of high severity vulnerabilities may be due to better coding practices by developers, explaining that many organizations have adopted a “shift left” approach in recent years and seek to make security a higher priority earlier in the development process. The overall increase in reported vulnerabilities was due in no small part to the COVID-19 pandemic, which forced almost every organization globally to adopt technology in one way or another, Madhani added. “The ongoing COVID-19 pandemic has continued to push many organizations to rush getting their applications to production, as part of their digital transformation and cloud journeys, meaning the code may have been through less QA cycles, and there may have been more use of 3rd party, legacy, and open source code, another risk factor for more vulnerabilities,” Madhani said. “So while companies may be coding better, they’re not testing as much, or as thoroughly, hence more vulnerabilities made it to production.” Other cybersecurity experts, like Viakoo CEO Bud Broomhead, said the report was alarming because of how many exploitable vulnerabilities remain “in the wild” for threat actors to take advantage of. The record number of new vulnerabilities, combined with the slow pace of patching and updating devices to remediate them, means that the risk of a breach is higher than ever for organizations, especially through unpatched IoT devices, Broomhead added. Vulcan Cyber CEO Yaniv Bar-Dayan said that what concerned him most was the mounting pile of security debt that cybersecurity professionals can’t seem to get ahead of.

    If IT security teams are leaving 2020’s vulnerabilities unaddressed, the real 2021 number is cumulative and becoming harder and harder to defend against, Bar-Dayan explained. “We are seeing more advanced persistent threats like the SolarWinds hack that daisy chain vulnerabilities and exploits to inflict maximum damage to digital organizations. As an industry we are still learning from and cleaning up after that one. And it is unfair to put all the blame on SolarWinds considering how the bad actors used known, old, unaddressed vulnerabilities that should have been mitigated by IT security teams well before the SolarWinds software supply chain hack was ever hatched,” Bar-Dayan said. “Cybersecurity teams need to do more than just scan for vulnerabilities. We need to work together as an industry to better measure, manage and mitigate cyber risk, or we will be crushed by this growing mountain of vulnerability debt.”

  • US Cyber Command head confirms direct actions against ransomware gangs

    General Paul M. Nakasone, head of US Cyber Command, confirmed during a recent national security event that his agency has begun taking direct action against international ransomware gangs as part of a larger effort to curtail attacks on American companies and infrastructure.

    The General explained that his agency is working hand-in-hand with the NSA, FBI and other federal entities during a talk at the Reagan National Defense Forum, a meeting of national security officials held on Saturday. After the talk, he told The New York Times that he sees Cyber Command’s mission right now as focusing on trying to “understand the adversary and their insights better than we’ve ever understood them before.” The country’s cybersecurity defense authority began targeting ransomware threats from organized crime rings around nine months ago, well before high-profile incidents like the Colonial Pipeline shutdown began to show just how severely ransomware attacks could disrupt national and global infrastructure. While the General was cagey about the details of ongoing and previous counter operations, earlier reports have shown Cyber Command taking a hand in both punitive actions, like those targeting the Russian ransomware group REvil, and restoration efforts, like the ones undertaken by federal agencies following the Colonial Pipeline incident. The latter resulted in the “majority” of the ransom paid to the DarkSide ransomware ring being seized and recovered by the DOJ. These actions are part of a larger effort called for by an executive order signed by the President in May of this year. The May 2021 order instituted a nationwide governmental shift to security practices like mandatory 2FA use, zero-trust policies, and the creation of a new Cybersecurity Safety Review Board. General Nakasone’s team has been combating similar threats since at least 2018, when he took command of the agency. The head of Cyber Command expounded on the importance of “speed, agility, and unity of effort” at the recent event. He noted that these three factors were key in combating threats, regardless of whether they came from nation-states, proxies, or independent criminal organizations.

    Going forward, Nakasone hopes to see a federal drive towards a “whole-of-government effort.” The General sees diplomatic outreach programs and an expanded and borderless focus on protecting critical infrastructure assets as a vital step toward protecting the country against ransomware attacks and other cyber incursions.

  • GraphQL API authorization flaw found in major B2B financial platform

    Cybersecurity firm Salt Labs discovered a GraphQL API authorization vulnerability in a large B2B financial technology platform. By manipulating API calls, an attacker could have submitted unauthorized transactions against customer accounts and harvested sensitive data.

    Salt Labs would not say which company was affected, as a way to protect users, but it explained that the vulnerabilities have been fixed since they were discovered. The platform offers financial services in the form of API-based mobile applications and SaaS to small- and medium-sized businesses and commercial brands, according to Salt Labs. Michael Isbitski, technical evangelist at Salt Security, told ZDNet that GraphQL API adoption is slower than REST but growing rapidly because of the potential benefits to front-end design and performance. A recent survey from Postman found that while most companies use REST, GraphQL and others like webhooks, WebSockets and SOAP are gaining traction. “Authorization flaws in APIs are very common, hence why they land on the OWASP API Security Top 10 list,” Isbitski explained. “This type of authorization flaw is also more likely to occur with GraphQL APIs as opposed to REST APIs just because of the nature of how GraphQL can be used to combine API calls and mutate queries.” Salt Labs identified this vulnerability in the company’s SaaS platform and the mobile applications that interface with it; it resulted from a failure to implement authorization checks correctly. Researchers found that some API calls were able to reach an API endpoint that required no authentication, which further enabled attackers to enter any transaction identifier and pull back data records of previous financial transactions. Salt Labs said GraphQL APIs are “inherently difficult to secure” due to their unique flexibility and structure.

    Salt Security CEO Roey Eliyahu said GraphQL provides some advantages in query options compared to REST APIs, but this flexibility comes with risk: a single API call can include multiple separate queries. “A prevalent vulnerability related to GraphQL is that developers must implement authorization on every layer of a multi-layer GraphQL query to prevent attacks. This side effect increases the burden on development and operations teams, and it can extend delivery timelines for applications with many API endpoints,” the researchers wrote in a report about the issue. “It also can create a situation that is more vulnerable to human error. Some endpoints may be forgotten or not properly dealt with, causing its own set of issues down the road.” The researchers explained that authentication and authorization in mobile app designs are often broken or absent because developers focus on usability. Cyber criminals often know that codebases are managed by different teams and search for vulnerabilities in both front-end clients and back-end services. SSL or TLS typically encrypts web API communications, giving enterprises the sense that they are protected when, in many cases, they may not be. “The prevailing assumption in the industry around GraphQL is that these APIs are uncommon, obscure targets of attack and therefore safer,” Isbitski said. “This assumption is wrong. Security through obscurity has always been a poor strategy, and the complexity of GraphQL APIs makes securing them more challenging.” Netenrich threat hunter John Bambenek told ZDNet that when mobile app developers build applications and API services, they wrongly believe an attacker could not misuse this information, since the phone itself doesn’t provide visibility. “It is tempting to believe that mobile apps create an obscurity layer that is hard for attackers to crack, but decades of experience show that security through obscurity just doesn’t get the job done,” Bambenek said. “Organizations need to make sure every transaction requires authorization and every step of a transaction is checked to make sure the permissions are appropriate for what is being attempted.”

  • Best VPNs for small and home-based businesses in 2021

    I recently had a friendly discussion with a marketing guy who contended that the term “small business” didn’t apply to home-based businesses because small businesses have between a hundred and 1,500 employees and revenues from about $1M to about $40M. Technically, if you accept the US Small Business Administration’s very wrong-headed definition of small business, that’s correct. But I defy you to tell a small restaurant owner or an IT consultant with five or ten employees that their business isn’t a small business. After all, roughly 54% of employer businesses (businesses with employees) are smaller than the SBA’s definition of small business.

    This is even more the case in these times of Covid. Many employees are working from home, whether or not they’re employed by companies with huge or tiny payrolls. But the distinction is important — and this is what my marketing friend was getting at — because if you look at tiny businesses, they tend to need different networking infrastructure than so-called small businesses the size of small departments or divisions. For our purposes, specifically for this article, we’re looking at VPN solutions that can fit businesses operating from homes as well as small offices. Two of them, NordLayer and Perimeter 81, can scale to larger small businesses. The other two, Surfshark and ExpressVPN, have tools that help small business owners manage multiple subscriptions and licenses. Let’s take a look.

    Start with VPN and add all the business management features you need

    Cloud VPN: Yes
    Remote Access VPN: Yes
    Site-to-Site VPN: Yes
    SSO Option: Yes
    Team Permissions: Yes
    Centralized Billing: Yes

    NordSec, the folks behind the hugely popular NordVPN service, have an entire array of offerings for small and medium businesses. Packaged under the NordLayer brand, Nord offers business VPN, along with multi-layer network protection, all coordinated in a centralized dashboard. NordLayer checks all the boxes, allowing work-from-home individuals to connect into the corporate on-site network over an encrypted tunnel, as well as providing site-to-site and dedicated IP options. Additionally, NordLayer provides business-level management functions including integration into single sign-on solutions, team permission management, and centralized billing.

    Comprehensive security company with a solid business VPN offering

    Cloud VPN: Yes
    Remote Access VPN: Yes
    Site-to-Site VPN: No
    SSO Option: Yes
    Team Permissions: Yes
    Centralized Billing: Yes

    Perimeter 81 calls its cloud VPN offering a “VPN alternative.” Yet, it provides the same functionality — to protect your data in transit to the cloud and then from the cloud to your on-premises and remote networks. Beyond VPN, Perimeter 81 offers a wide range of additional network security services, including a software firewall and network segmentation. Home-based business operators buying into Perimeter 81 may find themselves put off by Perimeter 81’s minimum-seat requirement of 5 or 10 seats, depending on plan. Overall, we think this is a solution better suited to larger small businesses and small departments than home-based businesses. But it may well be ideal for companies that have responded to Covid by sending workers home and need a way to extend a secure network into all their employees’ homes.

    Consumer VPN with some behind-the-scenes business services

    Cloud VPN: No
    Remote Access VPN: Yes
    Site-to-Site VPN: No
    SSO Option: No
    Team Permissions: No
    Centralized Billing: Yes

    Surfshark is interesting in that it’s hard to tell the company has business options. However, when I asked, I was told, “Although Surfshark is not a business VPN per se, we do offer plans for small businesses that want to enhance their employee privacy and security. For instance, last year when the pandemic hit the world, we did a campaign to support small businesses around the globe with 6-month VPN accounts so they could ensure the adequate level of security for their employees when moving to work from home, without having to go through a tedious business VPN set up process.” We’ve looked at the Surfshark interface before, and agree with the company that, “The key value of Surfshark for small businesses is that one does not need to have a dedicated IT person to set up a secure VPN tunnel while at the same time getting use of VPN security features.” Do be aware that there is no indication of consolidated billing or business features on the main Surfshark.com site. To get business-level services, the company advises you reach out to partners@surfshark.com and begin a dialog there. If you do, let me know how it works out for you.

    Controversial consumer VPN with business-based billing

    Cloud VPN: No
    Remote Access VPN: Yes
    Site-to-Site VPN: No
    SSO Option: No
    Team Permissions: No
    Centralized Billing: Yes

    ExpressVPN has had a difficult year due to the controversy surrounding its new owner. Even so, the company’s product has generally been solid, and because it offers some business billing options, it’s worth including in this list. While the company does not offer a business product, it does offer volume discounts for companies who wish to buy for multiple employees. For consolidated billing, we’re told you can contact its support team, who will set up a master account along with child accounts, which allow you to pay for an entire team with one payment.

    Are considerations different when getting a VPN for business?

    Yes. Somewhat. Whether you’re using a VPN for work or for personal use, you want your network traffic to be secure. Personal users often want to hide their location or spoof remote servers (sometimes for good reasons, sometimes just to location-shift entertainment). Business users don’t need that capability as much, although executives traveling may not want their locations to be triangulated. Considerations are also different if you’re a worker assigned to use a business VPN, compared to the manager choosing a VPN for use by employees. Again, communications security is the top priority in a business VPN, followed by performance, and often management features like access control and billing.

    Can I use a consumer VPN for business use?

    That totally depends…on everything. Here’s the thing. If you have a tiny company of just a few employees, a good consumer VPN should do just fine. Your biggest issue will be consolidating payments, followed by assigning and revoking accounts. But if you’re in a big small business, say with a thousand employees, you’re going to need a much larger set of IT-level features. In this article, we’re focusing on very small companies and those working from home, and for those businesses, a business-class VPN or even a good consumer VPN will do just fine.

    Will a VPN let me monitor what my employees say across the Internet?

    Uh. No. VPNs encapsulate data from one point to another so it can’t be monitored. In theory, you could monitor communications once packets reach your corporate network, but that’s a lot more complex than setting up a basic VPN, and it’s pretty slimy and reprehensible as well. Don’t spy on your employees. Judge them by their actions and whether they meet their commitments. Just sayin’. Don’t.

    How we choose

    Finding the right participants for this list was an interesting exercise. I wanted to stay away from the larger-scale corporate VPN solutions because anything that requires a special certification or multiple full-time IT people was for larger businesses than I was trying to reach in this article. So everything had to be reasonably deployable by an experienced tech user, not a formally-trained and certified IT professional. Second, everything had to have some kind of unified billing. It didn’t make sense to call something a business plan if you had to make 10 individual credit card payments each month for your ten employees’ VPN accounts. While the checkout mechanisms for ExpressVPN and Surfshark do not offer unified billing, both companies advised us that you can contact them and they’ll set up account management services for multiple accounts. And, finally, we’ve been testing most of these products for going on years now. While I don’t use any one VPN constantly, I have run most of these through my testing process, and the results are provided along with the recommendation.

    How you should choose

    Keep in mind that everyone’s needs are different and VPNs are particularly challenging because your performance is determined by the country you’re in, your ISP, your connection, and even the current weather conditions. I always recommend choosing vendors with a liberal refund policy (at least 30 days), and test, test, test to see if the service performs as you need it to.

    Beyond that, keep an eye out for any egregious renewal pricing and conditions. Most of the vendors I spotlight either don’t have renewal fees that slam you after a few years or, if they do, I point them out so you can watch out for them. One more thing I recommend is you start a dialog with the various customer and tech support teams. If you’re running your company on these services, find out how responsive and communicative they are.

    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

  • Everyone is burned out. That's becoming a security nightmare

    Cybersecurity workers and other employees are suffering from a high level of burnout that is putting organisations at greater risks from cyberattacks and data breaches. Research by cybersecurity company 1Password suggests that the challenge of remote working two years into the COVID-19 pandemic is leaving staff feeling burned out and less likely to pay attention to security guidelines.

    According to the survey, burned-out employees are more apathetic about workplace cybersecurity measures and are three times more likely to ignore suggested best practices. Risky behaviours include downloading software and apps without IT’s express permission, which increases the amount of shadow IT on networks that is difficult for the IT department to manage properly. There’s also the risk that these employees could download fake or malicious versions of apps, which could deliver malware and other threats from hackers. The paper also warns that burned-out employees are much more likely to use easy-to-guess passwords to secure their corporate accounts. Weak passwords make it much easier for cyber criminals to breach accounts and use that access to snoop around the network, steal information and lay the foundation for wider malicious activity. “The biggest threat is internal apathy. When people don’t use security protocols properly, they leave our company vulnerable,” said one unnamed cybersecurity professional cited in the report.

    In many organisations, it’s cybersecurity staff who are there to counter activity that could make the network vulnerable to cyberattacks – but according to the paper, cybersecurity professionals are more burned out than other workers. The research suggests that 84% of security professionals are feeling burned out, compared with 80% of other workers. And when cybersecurity employees are burned out, they are more likely to describe themselves as “completely checked out” and “doing the bare minimum at work”: one in 10 cybersecurity professionals described that as their state of mind, compared with one in 20 of other employees. That attitude could easily result in security threats being missed or flaws not being fixed in time, something that could put the whole company at risk from cyber incidents. “Pandemic-fueled burnout – and resultant workplace apathy and distraction – has emerged as the next significant security risk,” said Jeff Shiner, chief executive officer at 1Password. “It’s particularly surprising to find that burned-out security leaders, charged with protecting businesses, are doing a far worse job of following security guidelines – and putting companies at risk”. The rise of remote and hybrid working has changed many workplaces permanently, and it’s vital that the correct cybersecurity strategies are put in place to manage the risk. Additionally, managers need to talk to employees about the challenges working from home can bring in addition to the benefits, gaining a better understanding of why burnout happens and what can be done to counter both burnout and the associated security risks. “It’s now a business imperative for companies to engage the humans at the heart of security operations with tools, training and ongoing support to create a culture of security and care that helps us all stay safe at work,” said Shiner.